<!doctype html>
<html lang="en-US">
<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="profile" href="https://gmpg.org/xfn/11">

	<!-- Pingdom Real User Monitoring -->
	<script>
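	// Pingdom Real User Monitoring (RUM) bootstrap.
	// `_prum` is a global left for the loader script to pick up (presumably read
	// by prum.min.js once it runs): the site id identifies this property in
	// Pingdom -- it is a public identifier, not a secret -- and the 'firstbyte'
	// mark records the wall-clock time this inline script executed.
	var _prum = [['id', '56a14edeabe53deb7ff24334'],
	             ['mark', 'firstbyte', (new Date()).getTime()]];
	(function() {
	    var firstScript = document.getElementsByTagName('script')[0],
	        loader = document.createElement('script');
	    // `async` is a boolean DOM property; assign true rather than the
	    // (truthy) string 'async' the original used.
	    loader.async = true;
	    // Explicit https: instead of the protocol-relative '//' form, so the
	    // beacon can never be fetched over plain HTTP if this markup is ever
	    // served, previewed or archived from a non-https origin. No SRI hash is
	    // pinned because the URL is unversioned (prum.min.js), so a hash would
	    // break on the next vendor release; the remaining control is a CSP
	    // script-src allow-list that names this origin explicitly.
	    loader.src = 'https://rum-static.pingdom.net/prum.min.js';
	    firstScript.parentNode.insertBefore(loader, firstScript);
	})();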
	</script>
	<!-- End Pingdom Real User Monitoring -->

	<title>New Strain of Sotdas Malware Discovered | Qualys Security Blog</title>

<!-- The SEO Framework by Sybre Waaijer -->
<meta name="description" content="There are numerous malicious codes that are currently active on smart devices, such as Ddosf, Dofloo, Gafgyt, MrBlack, Persirai, Sotdas, Tsunami, Triddy, Mirai&#8230;" />
<meta property="og:image" content="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet.jpg" />
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="article" />
<meta property="og:title" content="New Strain of Sotdas Malware Discovered | Qualys Security Blog" />
<meta property="og:description" content="There are numerous malicious codes that are currently active on smart devices, such as Ddosf, Dofloo, Gafgyt, MrBlack, Persirai, Sotdas, Tsunami, Triddy, Mirai, Moose, and Satori, among others." />
<meta property="og:url" content="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered" />
<meta property="og:site_name" content="Qualys Security Blog" />
<meta property="og:updated_time" content="2023-05-18T04:04+00:00" />
<meta property="article:publisher" content="https://www.facebook.com/qualys" />
<meta property="article:published_time" content="2023-05-18T04:03+00:00" />
<meta property="article:modified_time" content="2023-05-18T04:04+00:00" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:site" content="@qualys" />
<meta name="twitter:title" content="New Strain of Sotdas Malware Discovered | Qualys Security Blog" />
<meta name="twitter:description" content="There are numerous malicious codes that are currently active on smart devices, such as Ddosf, Dofloo, Gafgyt, MrBlack, Persirai, Sotdas, Tsunami, Triddy, Mirai, Moose, and Satori, among others." />
<meta name="twitter:image" content="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet.jpg" />
<link rel="canonical" href="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered" />
<script type="application/ld+json">{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"https://blog.qualys.com/","name":"Qualys Security Blog"}},{"@type":"ListItem","position":2,"item":{"@id":"https://blog.qualys.com/category/vulnerabilities-threat-research","name":"Vulnerabilities and Threat Research"}},{"@type":"ListItem","position":3,"item":{"@id":"https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered","name":"New Strain of Sotdas Malware Discovered"}}]}</script>
<!-- / The SEO Framework by Sybre Waaijer | 3.71ms meta | 0.80ms boot -->

<link rel='dns-prefetch' href='//cdnjs.cloudflare.com' />
<link rel='dns-prefetch' href='//static.cloud.coveo.com' />
<link rel='dns-prefetch' href='//stats.wp.com' />
<link rel='dns-prefetch' href='//v0.wordpress.com' />
<link rel="alternate" type="application/rss+xml" title="Qualys Security Blog &raquo; Feed" href="https://blog.qualys.com/feed" />
<link rel="alternate" type="application/rss+xml" title="Qualys Security Blog &raquo; Comments Feed" href="https://blog.qualys.com/comments/feed" />
<link rel="alternate" type="application/rss+xml" title="Qualys Security Blog &raquo; New Strain of Sotdas Malware Discovered Comments Feed" href="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/feed" />
<link rel='stylesheet' id='wp-block-library-css' href='https://ik.imagekit.io/qualys/wp-includes/css/dist/block-library/style.min.css?ver=6.2.2' media='all' />
<style id='wp-block-library-inline-css'>
.has-text-align-justify{text-align:justify;}
</style>
<link rel='stylesheet' id='jetpack-videopress-video-block-view-css' href='https://ik.imagekit.io/qualys/wp-content/plugins/jetpack/jetpack_vendor/automattic/jetpack-videopress/build/block-editor/blocks/video/view.css?minify=false&#038;ver=34ae973733627b74a14e' media='all' />
<link rel='stylesheet' id='mediaelement-css' href='https://ik.imagekit.io/qualys/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css?ver=4.2.17' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css' href='https://ik.imagekit.io/qualys/wp-includes/js/mediaelement/wp-mediaelement.min.css?ver=6.2.2' media='all' />
<link rel='stylesheet' id='classic-theme-styles-css' href='https://ik.imagekit.io/qualys/wp-includes/css/classic-themes.min.css?ver=6.2.2' media='all' />
<style id='global-styles-inline-css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: 
linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}body .is-layout-flow > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-constrained > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > 
:where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width: var(--wp--style--global--content-size);margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignwide{max-width: var(--wp--style--global--wide-size);}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: 
var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: 
var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
.wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;}
:where(.wp-block-columns.is-layout-flex){gap: 2em;}
.wp-block-pullquote{font-size: 1.5em;line-height: 1.6;}
</style>
<link rel='stylesheet' id='community-shared-css' href='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/style/shared.css?ver=1.0.3' media='all' />
<link rel='stylesheet' id='community-shared-30em-css' href='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/style/shared-min-30em.css?ver=1.0.3' media='screen and (min-width: 30em)' />
<link rel='stylesheet' id='community-shared-60em-css' href='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/style/shared-min-60em.css?ver=1.0.3' media='screen and (min-width: 60em)' />
<link rel='stylesheet' id='qualys2020-style-css' href='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/style.css?ver=1.0.3' media='all' />
<!-- NOTE(review): the two cdnjs stylesheets here (highlight.js, fancybox) carry no
     integrity/crossorigin (SRI) attributes, whereas the Coveo stylesheet between
     them does. Both cdnjs URLs are version-pinned, so their hashes can be computed
     and added; without them a substituted CDN response could restyle or overlay
     the page. -->
<link rel='stylesheet' id='qualys2020-highlightjs-dark-css' href='https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.6.0/styles/a11y-dark.min.css?ver=6.2.2' media='all' />
<link rel='stylesheet' id='coveo-css' href='https://static.cloud.coveo.com/searchui/v2.10085/2/css/CoveoFullSearch.min.css?ver=6.2.2' media='all' integrity='sha512-SvJKQ8/gNL2d8gVWx23GajIUPZAK+F83AI2pXl+pV0X3BfK6R3uBpEHo8CDv1YuIFzfvfs6znp77Amaj3te0xQ==' crossorigin='anonymous' />
<!-- NOTE(review): same as above -- no integrity attribute on this cdnjs asset. -->
<link rel='stylesheet' id='fancybox-styles-css' href='https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.7/jquery.fancybox.min.css?ver=6.2.2' media='all' />
<link rel='stylesheet' id='jetpack_css-css' href='https://ik.imagekit.io/qualys/wp-content/plugins/jetpack/css/jetpack.css?ver=12.2' media='all' />
<script id='jetpack_related-posts-js-extra'>
var related_posts_js_options = {"post_heading":"h4"};
</script>
<script src='https://ik.imagekit.io/qualys/wp-content/plugins/jetpack/_inc/build/related-posts/related-posts.min.js?ver=20211209' id='jetpack_related-posts-js'></script>
<script src='https://ik.imagekit.io/qualys/wp-includes/js/codemirror/codemirror.min.js?ver=5.29.1-alpha-ee20357' id='wp-codemirror-js'></script>
<!-- NOTE(review): the EditURI link below advertises xmlrpc.php, a frequent
     brute-force and pingback-abuse target on WordPress sites. The link itself does
     not enable XML-RPC, but if the endpoint is not needed it should be disabled
     server-side and this discovery link dropped. The wlwmanifest link is a legacy
     Windows Live Writer manifest and presumably no longer needed -- confirm. -->
<link rel="https://api.w.org/" href="https://blog.qualys.com/wp-json/" /><link rel="alternate" type="application/json" href="https://blog.qualys.com/wp-json/wp/v2/posts/33129" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://blog.qualys.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://blog.qualys.com/wp-includes/wlwmanifest.xml" />
<link rel="alternate" type="application/json+oembed" href="https://blog.qualys.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.qualys.com%2Fvulnerabilities-threat-research%2F2023%2F05%2F17%2Fnew-strain-of-sotdas-malware-discovered" />
<link rel="alternate" type="text/xml+oembed" href="https://blog.qualys.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fblog.qualys.com%2Fvulnerabilities-threat-research%2F2023%2F05%2F17%2Fnew-strain-of-sotdas-malware-discovered&#038;format=xml" />
	<style>img#wpstats{display:none}</style>
		<link rel="icon" href="https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys-150x150.png" sizes="32x32" />
<link rel="icon" href="https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys-300x300.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys-300x300.png" />
<meta name="msapplication-TileImage" content="https://ik.imagekit.io/qualys/wp-content/uploads/2017/07/cropped-qualys-300x300.png" />

	<!-- Google Tag Manager -->
	<script>
		// Google Tag Manager loader.
		// Opt-out: a `dnt=1` query parameter (delimited by ?, & or ;) suppresses
		// the container entirely, so nothing is pushed to dataLayer and no
		// gtm.js request is made.
		// NOTE(review): GTM runs whatever tags container GTM-W7DWPS is configured
		// with, so the container is a remote-script trust boundary on this page.
		// The loader URL cannot carry an SRI hash; a CSP for this page has to
		// allow https://www.googletagmanager.com and use a nonce for this inline
		// snippet if 'unsafe-inline' is to be avoided.
		(function (win, doc) {
			if (/[?&;]dnt=1([;&]|$)/.test(win.location.search)) {
				return; // visitor asked not to be tracked via the query string
			}
			var layerName = 'dataLayer';
			var containerId = 'GTM-W7DWPS';
			win[layerName] = win[layerName] || [];
			win[layerName].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
			var firstScript = doc.getElementsByTagName('script')[0];
			var loader = doc.createElement('script');
			loader.async = true;
			// Only a non-default layer name is appended to the query string.
			var layerParam = layerName !== 'dataLayer' ? '&l=' + layerName : '';
			loader.src = 'https://www.googletagmanager.com/gtm.js?id=' + containerId + layerParam;
			firstScript.parentNode.insertBefore(loader, firstScript);
		})(window, document);
	</script>
	<!-- End Google Tag Manager -->

</head>

<body class="post-template-default single single-post postid-33129 single-format-standard">

<!-- Google Tag Manager (noscript) -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-W7DWPS"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-dark-grayscale"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 0.498039215686" /><feFuncG type="table" tableValues="0 0.498039215686" /><feFuncB type="table" tableValues="0 0.498039215686" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-grayscale"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 1" /><feFuncG type="table" tableValues="0 1" /><feFuncB type="table" tableValues="0 1" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-purple-yellow"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.549019607843 0.988235294118" /><feFuncG type="table" tableValues="0 
1" /><feFuncB type="table" tableValues="0.717647058824 0.254901960784" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-blue-red"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 1" /><feFuncG type="table" tableValues="0 0.278431372549" /><feFuncB type="table" tableValues="0.592156862745 0.278431372549" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-midnight"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 0" /><feFuncG type="table" tableValues="0 0.647058823529" /><feFuncB type="table" tableValues="0 1" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-magenta-yellow"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 
.114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.780392156863 1" /><feFuncG type="table" tableValues="0 0.949019607843" /><feFuncB type="table" tableValues="0.352941176471 0.470588235294" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-purple-green"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.650980392157 0.403921568627" /><feFuncG type="table" tableValues="0 1" /><feFuncB type="table" tableValues="0.447058823529 0.4" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-blue-orange"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.0980392156863 1" /><feFuncG type="table" tableValues="0 0.662745098039" /><feFuncB type="table" tableValues="0.847058823529 0.419607843137" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg>

	


<div id="page" class="q-main_content">

	

	
	<div class="q-main_content-container">

	<main id="primary" class="site-main q-single__post-content">

		
<article id="post-33129" class="post-33129 post type-post status-publish format-standard hentry category-vulnerabilities-threat-research tag-malware tag-vulnerabilities">
	<header class="entry-header">
		<h1 class="q-blog__post-title">New Strain of Sotdas Malware Discovered</h1>		<div class="q-post__entry-header-outerwrapper">
			<div class="q-post__entry-header-wrapper">
				<div class="q-post__entry-header">
					<div class="entry-meta q-post__entry-meta">
						<div class="q-post__entry-author">
							<span class="byline"> <span class="author vcard"><a class="url fn n" href="https://blog.qualys.com/author/vchaudhari">Viren Chaudhari</a></span></span>						</div>
						<div class="q-post__entry-time">
							<span class="posted-on"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered" rel="bookmark"><time class="entry-date published" datetime="2023-05-17T21:03:47-07:00">May 17, 2023</time><time class="updated" datetime="2023-05-17T21:04:23-07:00">May 17, 2023</time></a></span> - 11 min read						</div>
					</div>
				</div>
			</div>
					</div>
			</header>

	<div class="entry-content q-single__post-wrapper q-has-toc">

		<div class="q-single__post--toc"><div class="toc"><h4>Table of Contents</h4><ul><li><a href='#introduction'>Introduction</a></li><li><a href='#executive-summary'>Executive Summary</a></li><li><a href='#analysis-of-the-sample'>Analysis of the sample:</a></li><li><a href='#conclusion'>Conclusion</a></li><li><a href='#detections'>Detections</a></li><li><a href='#hashes'>Hashes</a></li><li><a href='#domain'>Domain</a></li><li><a href='#directories'>Directories</a></li><li><a href='#mitre-attck-techniques'>MITRE ATT&CK Techniques</a></li></ul></div></div>
		<div class="q-single__post--content">
			
<h2 id="introduction" class="wp-block-heading">Introduction&nbsp;</h2>



<p>There are numerous malicious codes currently active on smart devices, such as Ddosf, Dofloo, Gafgyt, MrBlack, Persirai, Sotdas, Tsunami, Triddy, Mirai, Moose, and Satori, among others. These malicious codes and their variants intrude into and take control of smart devices by abusing weak or default credentials on Telnet, SSH, and other remote management services, exploiting operating-system vulnerabilities and web or other application vulnerabilities, and brute-forcing passwords.</p>



<p>We will delve into the latest variant of the Sotdas malware, which boasts a range of new features and defense evasion techniques. The Sotdas family, written in C++, has been active for many years and is characterized by the presence of the strings ‘g_nIsStopDDOS’, ‘DOSSTAT’ or ‘# chkconfig: 2345 77 37’ (the latter being the System V init-script header that section B below shows the sample writing). The malware is potentially used to gather information about a compromised system, run in the background undetected, and execute malicious actions. The techniques analysed below include setting up a daemon process, creating an init script, monitoring system resources, and gathering language information.</p>



<h2 id="executive-summary" class="wp-block-heading">Executive Summary</h2>



<p>The Sotdas malware possesses several capabilities that make it a significant threat in the cyber landscape.&nbsp;</p>



<span id="more-33129"></span>



<ol start="1">
<li><strong>Persistence</strong>: It can establish persistence on compromised systems by creating startup entries and copying itself to system directories.&nbsp;&nbsp;</li>



<li><strong>Information gathering</strong>: Sotdas can gather valuable system information, such as CPU and memory details, network interface information, and CPU utilization.&nbsp;</li>



<li><strong>Defense evasion</strong>: Sotdas daemonizes itself (detaching from the controlling terminal and redirecting standard I/O to /dev/null) so that it produces no visible output, resolves its own on-disk location through /proc/self/exe, and registers itself in the System V runlevel configuration. Strictly speaking the last two are self-location and persistence mechanisms rather than evasion; they are covered in sections A&#8211;C below.&nbsp;</li>



<li><strong>DNS Tunneling</strong>: Sotdas employs DNS tunneling for communication with its command and control (C&amp;C) server, utilizing custom DNS query messages and encoding the payload within DNS record.&nbsp;</li>
</ol>



<h2 id="analysis-of-the-sample" class="wp-block-heading">Analysis of the sample:&nbsp;</h2>



<h3 class="wp-block-heading">A. Setting up a Daemon Process and Using /proc to Determine the Absolute Path of the Executable</h3>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet.jpg"><img data-attachment-id="33149" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-1_daemon-function-code-snippet" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet.jpg" data-orig-size="1243,571" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-1_Daemon-function-code-snippet" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet-300x138.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet-1070x492.jpg" decoding="async" loading="lazy" width="1243" height="571" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet.jpg" alt="" class="wp-image-33149" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet.jpg 1243w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet-300x138.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet-1070x492.jpg 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-1_Daemon-function-code-snippet-768x353.jpg 768w" sizes="(max-width: 1243px) 100vw, 1243px" 
/></a><figcaption class="wp-element-caption">Figure 1: Daemon function code snippet&nbsp;</figcaption></figure></div>


<p>This Sotdas code, written in C++, sets up a daemon process on Linux using the daemon() function and then passes a string in esi that might be a key or configuration value for the daemonized process. daemon() detaches the process from its controlling terminal and session, so the malware keeps running in the background after the user logs out. It does not by itself survive a reboot: reboot persistence comes from the init script and rc*.d symlinks described in sections B and C below.&nbsp;</p>



<p>In this case, the code sets nochdir to 1, which means the daemon process will not change its working directory to /, and sets noclose to 0, which means the standard input/output/error streams will be redirected to /dev/null. This is a common pattern in malware to hide its output from the user.&nbsp;</p>



<p>After setting up the daemon, the code calls signal() to register a handler for signal number 0Dh (13). Note that on Linux x86-64 signal 13 is SIGPIPE, not SIGTERM (which is 15, 0Fh); if the disassembly indeed passes 0Dh, the more likely purpose is to ignore or absorb SIGPIPE so that a write to a closed C&amp;C socket does not kill the process, a common pattern in network-connected malware. Either way, the handler lets the process react to the signal itself instead of being terminated by the default action, and can perform any cleanup it needs.&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><img data-attachment-id="33150" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-2_-proc-to-determine-absolute-path-of-executable" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-2_-proc-to-Determine-Absolute-Path-of-Executable.jpg" data-orig-size="525,898" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-2_-proc-to-Determine-Absolute-Path-of-Executable" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-2_-proc-to-Determine-Absolute-Path-of-Executable-300x513.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-2_-proc-to-Determine-Absolute-Path-of-Executable.jpg" decoding="async" loading="lazy" width="525" height="898" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-2_-proc-to-Determine-Absolute-Path-of-Executable.jpg" alt="" class="wp-image-33150" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-2_-proc-to-Determine-Absolute-Path-of-Executable.jpg 525w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-2_-proc-to-Determine-Absolute-Path-of-Executable-300x513.jpg 300w" sizes="(max-width: 525px) 100vw, 525px" /><figcaption class="wp-element-caption">Figure 2: /proc to Determine Absolute Path of Executable&nbsp;</figcaption></figure></div>


<p>In Linux, /proc is a virtual filesystem that provides information about running processes and system resources. The /proc/self directory refers to the current process, while /proc/self/exe is a symbolic link to the executable file of the current process.&nbsp;</p>



<p>In the given code snippet, the readlink() system call is used to read the contents of the /proc/self/exe symbolic link into a buffer pointed to by the path variable. This is done in order to determine the absolute path of the executable file of the current process.&nbsp;</p>



<p>Knowing the absolute path of its executable lets the malware locate its own binary on disk &#8211; which it needs later when it copies itself into a system directory (section C) &#8211; and access other files that live in the same directory as the executable. Note that /proc/self/exe gives the path of the binary, not the process&#8217;s working directory; the latter is exposed separately as /proc/self/cwd.&nbsp;</p>



<h3 class="wp-block-heading">B. Setting up System V runlevel&nbsp;</h3>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels.jpg"><img data-attachment-id="33151" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-3_-sotdas-malware-sets-up-runlevels" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels.jpg" data-orig-size="1603,217" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-3_-Sotdas-malware-sets-up-runlevels" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels-300x41.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels-1070x145.jpg" decoding="async" loading="lazy" width="1603" height="217" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels.jpg" alt="" class="wp-image-33151" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels.jpg 1603w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels-300x41.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels-1070x145.jpg 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels-768x104.jpg 
768w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-3_-Sotdas-malware-sets-up-runlevels-1536x208.jpg 1536w" sizes="(max-width: 1603px) 100vw, 1603px" /></a><figcaption class="wp-element-caption">Figure 3: Sotdas malware sets up runlevels&nbsp;</figcaption></figure>



<p>The malware creates a file containing this shell script and then executes it. The first line specifies that the script should be interpreted by the Bash shell. The second line appears to be the <code># chkconfig: 2345 77 37</code> header (one of the strings that characterizes the family): it tells chkconfig to enable the service on runlevels 2, 3, 4, and 5 with a start priority of 77 and a stop priority of 37. The third line provides a description of the daemon process. The fourth line launches the binary in a new session, detached from the terminal, using the setsid command.&nbsp;&nbsp;</p>



<h3 class="wp-block-heading">C. <strong>Setting Up Init script and Symlink</strong>&nbsp;</h3>


<div class="wp-block-image">
<figure class="aligncenter size-full"><img data-attachment-id="33152" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-4_-malware-creates-startup-entries-and-copies-itself-to-system-directories" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-4_-Malware-creates-Startup-Entries-and-copies-itself-to-system-directories.jpg" data-orig-size="532,960" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-4_-Malware-creates-Startup-Entries-and-copies-itself-to-system-directories" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-4_-Malware-creates-Startup-Entries-and-copies-itself-to-system-directories-300x541.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-4_-Malware-creates-Startup-Entries-and-copies-itself-to-system-directories.jpg" decoding="async" loading="lazy" width="532" height="960" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-4_-Malware-creates-Startup-Entries-and-copies-itself-to-system-directories.jpg" alt="" class="wp-image-33152" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-4_-Malware-creates-Startup-Entries-and-copies-itself-to-system-directories.jpg 532w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-4_-Malware-creates-Startup-Entries-and-copies-itself-to-system-directories-300x541.jpg 300w" sizes="(max-width: 532px) 100vw, 532px" /><figcaption 
class="wp-element-caption">Figure 4: Malware creates Startup Entries and copies itself to system directories&nbsp;</figcaption></figure></div>


<p>The malware code starts by generating a random 16-character string, which is later used as a filename. It formats &#8220;rm -f %s&#8221; into a command that removes any existing file with that name and executes it via system(). The code then creates a new file with the generated filename and writes to it with fwrite().&nbsp;</p>



<p>The malware code then checks for a specific string (&#8220;fsb0h`nfnpc&#8221;), possibly to identify a specific system to infect; however, the value does not look like a plaintext path and, like the &#8220;vin`nh&#8221; service name below, is more plausibly a lightly encoded string that is decoded at runtime before use. If the check succeeds, the code executes &#8220;echo yes|cp -p %s %s&#8221;, where the first &#8220;%s&#8221; is the name of the file created earlier and the second &#8220;%s&#8221; is the destination path (the piped &#8220;yes&#8221; answers any overwrite prompt from an interactive cp alias). The code then sleeps for 2 seconds and makes the copied file world-readable, -writable and -executable with &#8220;chmod 777 %s&#8221;.&nbsp;</p>



<p>It then creates symbolic links to the copied file in several directories under <code>"/etc/rc*.d/"</code>, the System V startup directories for the individual runlevels. Specifically, the malware creates symbolic links in <code>/etc/rc2.d, /etc/rc3.d, /etc/rc4.d, and /etc/rc5.d</code>, and starts the service through the &#8220;service&#8221; command and an init.d script. From a detection standpoint, a process that is not a package manager writing a new init.d script, creating rc*.d symlinks and running chmod 777 on a freshly copied binary is a high-signal sequence worth alerting on.&nbsp;&nbsp;</p>



<p>Later, it starts a service by using sprintf() to build a command string with the format &#8220;service %s start&#8221;, where &#8220;vin`nh&#8221; (apparently an encoded service name) is substituted for the argument.&nbsp;</p>



<h3 class="wp-block-heading">D. Parsing /proc/net/dev to Extract Network Interface Information</h3>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information.jpg"><img data-attachment-id="33153" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-5_-proc-net-dev-extract-network-information" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information.jpg" data-orig-size="1684,243" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-5_-proc-net-dev-–-extract-Network-information" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information-300x43.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information-1070x154.jpg" decoding="async" loading="lazy" width="1684" height="243" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information.jpg" alt="" class="wp-image-33153" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information.jpg 1684w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information-300x43.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information-1070x154.jpg 1070w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information-768x111.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-5_-proc-net-dev-–-extract-Network-information-1536x222.jpg 1536w" sizes="(max-width: 1684px) 100vw, 1684px" /></a><figcaption class="wp-element-caption">Figure 5: /proc/net/dev – extract Network information&nbsp;</figcaption></figure>



<p>The snapshot describes the parsing of /proc/net/dev:&nbsp;</p>



<ul>
<li>grep &#8220;\beth&#8221; /proc/net/dev: Filters the output of /proc/net/dev to only include lines that contain the word &#8220;eth&#8221;. This will typically include the network usage statistics for Ethernet interfaces.&nbsp;</li>



<li>cut -d &#8220;:&#8221; -f 2: Uses the cut command to extract the second field of each line, using a colon as the delimiter. This will remove the interface name from the output.&nbsp;</li>



<li>awk &#8216;{print $27}&#8217;: Uses awk to extract the 27th whitespace-separated field of each line and print it to the console. The intent is to read the byte counter for the Ethernet interface; note, however, that after the cut each /proc/net/dev line carries only 16 numeric fields (8 receive, 8 transmit), so which value $27 actually yields depends on the exact pipeline in the sample and should be confirmed against Figure 5.&nbsp;</li>
</ul>



<p>By parsing the output of /proc/net/dev, the malware can extract information about the network interfaces on the compromised system and the amount of data being transmitted and received on them. This could be used to monitor the user&#8217;s internet activity, but given the family&#8217;s DDoS heritage (the g_nIsStopDDOS and DOSSTAT strings noted above) it is more plausibly used to gauge available bandwidth and report traffic volume to the operator.&nbsp;</p>



<h3 class="wp-block-heading">E. <strong>Monitoring CPU Utilization&nbsp;</strong>&nbsp;</h3>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command.jpg"><img data-attachment-id="33154" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-6_monitoring-cpu-utilization-using-top-command" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command.jpg" data-orig-size="1827,151" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-6_Monitoring-CPU-utilization-using-top-command" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command-300x25.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command-1070x88.jpg" decoding="async" loading="lazy" width="1827" height="151" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command.jpg" alt="" class="wp-image-33154" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command.jpg 1827w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command-300x25.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command-1070x88.jpg 1070w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command-768x63.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-6_Monitoring-CPU-utilization-using-top-command-1536x127.jpg 1536w" sizes="(max-width: 1827px) 100vw, 1827px" /></a><figcaption class="wp-element-caption">Figure 6: Monitoring CPU utilization using top command&nbsp;</figcaption></figure>



<p><code>top -bn 1 | grep Cpu | cut -d "," -f 1 | cut -d ":" -f 2</code></p>



<p>The malware runs the top command to print out a snapshot of the current system resource usage, including CPU utilization. This can be useful for monitoring system performance. The malware can ensure that it does not consume too many resources, which could alert the user or system administrator.&nbsp;&nbsp;</p>



<h3 class="wp-block-heading">F. System Information Gathering Commands for Malware: CPU and Memory</h3>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory.jpg"><img data-attachment-id="33155" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-7_code-snippet-for-information-gathering-for-cpu-and-memory" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory.jpg" data-orig-size="1609,325" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory-300x61.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory-1070x216.jpg" decoding="async" loading="lazy" width="1609" height="325" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory.jpg" alt="" class="wp-image-33155" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory.jpg 1609w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory-300x61.jpg 300w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory-1070x216.jpg 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory-768x155.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-7_Code-snippet-for-information-gathering-for-CPU-and-Memory-1536x310.jpg 1536w" sizes="(max-width: 1609px) 100vw, 1609px" /></a><figcaption class="wp-element-caption">Figure 7: Code snippet for information gathering for CPU and Memory&nbsp;</figcaption></figure>



<p><strong>grep &#8220;processor&#8221; /proc/cpuinfo | sort -u | wc -l&nbsp;</strong></p>



<p>This command outputs the number of logical CPU cores in the system. Malware can use it to fingerprint the hardware configuration or to scale its own resource usage (for example, the number of worker threads it spawns) to the number of available cores.&nbsp;</p>



<p><strong>grep &#8220;cpu MHz&#8221; /proc/cpuinfo | cut -d &#8220;:&#8221; -f 2&nbsp;</strong></p>



<p>This command outputs the clock speed (in megahertz) of each logical CPU core. Like the core count, it lets the malware fingerprint the system&#8217;s hardware configuration and tune its own resource usage to the available CPU clock speeds.&nbsp;</p>



<p><strong>grep &#8220;MemTotal&#8221; /proc/meminfo | cut -d &#8220;:&#8221; -f 2</strong>&nbsp;</p>



<p>This command will output the total amount of physical memory installed in the system, in kilobytes. Gathering system information such as CPU and memory details can help the malware identify the capabilities of the target system, which could inform its behavior and actions.&nbsp;</p>



<h3 class="wp-block-heading">G. Network Analysis&nbsp;</h3>



<p>The Sotdas malware payload made a DNS query for the domain &#8220;a77jdsadsa98wqefav.sockt.best&#8221;. The query is for an A record (type A, class IN) and, in the capture, is directed to the DNS server ns0.centralnic.net. That host appears to be a registry-operated name server rather than attacker-controlled infrastructure (CentralNic provides the back end for the .best TLD), so it should not be treated as an indicator on its own; the tunnel endpoint is whatever name server is authoritative for sockt.best, and the domain itself is the indicator to block.&nbsp;</p>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records.jpg"><img data-attachment-id="33156" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-8_cc-communication-with-dns-records" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records.jpg" data-orig-size="1870,318" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-8_CC-communication-with-DNS-records" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records-300x51.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records-1070x182.jpg" decoding="async" loading="lazy" width="1870" height="318" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records.jpg" alt="" class="wp-image-33156" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records.jpg 1870w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records-300x51.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records-1070x182.jpg 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records-768x131.jpg 
768w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-8_CC-communication-with-DNS-records-1536x261.jpg 1536w" sizes="(max-width: 1870px) 100vw, 1870px" /></a><figcaption class="wp-element-caption">Figure 8: C&amp;C communication with DNS records&nbsp;</figcaption></figure>



<p>The DNS query message is encoded in the payload of the packet, starting at byte offset 42. The message is a standard DNS query message with a single question section, which contains the hostname together with the query type and class. However, the payload of the DNS query contains a long string of seemingly random characters, which is not typical of a legitimate DNS query.</p>



<p>The payload uses a custom implementation of DNS tunneling and sends the command output to the C2 server via DNS queries, in the form of A records spread across multiple blocks of queries, where the A record values consist of the encoded command output. Because the size of a DNS record is limited, a typical exchange between the payload and the C&amp;C server consists of a series of DNS requests and replies, with the command or file transmitted in chunks. To keep track of such a pseudo-connection, both client- and server-side requests carry an embedded type and transmission ID.</p>



<h3 class="wp-block-heading">H. Eliminating Traces&nbsp;</h3>



<p>The malware performs a series of commands related to removing files. It starts by pushing the rbx register onto the stack and then sets eax to 0. The function then uses the sprintf function to create several commands that remove files:&nbsp;</p>


<div class="wp-block-image">
<figure class="aligncenter size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-9_-Code-snippet-for-deletion-of-malware-files-using-rm-command.jpg"><img data-attachment-id="33157" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-9_-code-snippet-for-deletion-of-malware-files-using-rm-command" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-9_-Code-snippet-for-deletion-of-malware-files-using-rm-command.jpg" data-orig-size="945,919" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-9_-Code-snippet-for-deletion-of-malware-files-using-rm-command" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-9_-Code-snippet-for-deletion-of-malware-files-using-rm-command-300x292.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-9_-Code-snippet-for-deletion-of-malware-files-using-rm-command.jpg" decoding="async" loading="lazy" width="945" height="919" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-9_-Code-snippet-for-deletion-of-malware-files-using-rm-command.jpg" alt="" class="wp-image-33157" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-9_-Code-snippet-for-deletion-of-malware-files-using-rm-command.jpg 945w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-9_-Code-snippet-for-deletion-of-malware-files-using-rm-command-300x292.jpg 300w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-9_-Code-snippet-for-deletion-of-malware-files-using-rm-command-768x747.jpg 768w" sizes="(max-width: 945px) 100vw, 945px" /></a><figcaption class="wp-element-caption">Figure 9: Code snippet for deletion of malware files using rm command&nbsp;</figcaption></figure></div>


<p>rm commands for deleting malware traces:</p>



<ul>
<li>rm -f /etc/rc2.d/S77%s&nbsp;</li>



<li>rm -f /etc/rc3.d/S77%s&nbsp;</li>



<li>rm -f /etc/rc4.d/S77%s&nbsp;</li>



<li>rm -f /etc/rc5.d/S77%s&nbsp;</li>



<li>rm -f /etc/init.d/%s&nbsp;</li>



<li>rm -f %s&nbsp;</li>
</ul>



<p>The %s in each command appears to be a placeholder that is later replaced with the string &#8220;vinnh&#8221;. After creating each command with sprintf, the function uses the system function to execute the command. Finally, the function cleans up the stack and returns.</p>



<h2 id="conclusion" class="wp-block-heading">Conclusion&nbsp;</h2>



<p>Once Sotdas malware has achieved persistence and gathered information about the system&#8217;s CPU and memory, it can use this information to optimize its own resource usage and to start cryptomining. The malware could potentially use all available CPU resources to maximize its mining performance, while also monitoring the system&#8217;s CPU utilization to avoid detection.</p>



<p>Once the malware has established a cryptomining operation, it can continue to monitor the system&#8217;s CPU utilization to ensure that it remains undetected and to adjust its resource usage as needed. It may also periodically check the system&#8217;s memory usage to ensure that it has enough available memory to continue mining.&nbsp;&nbsp;</p>



<h2 id="detections" class="wp-block-heading">Detections</h2>



<ol start="1">
<li>Qualys Multi-Vector EDR can easily scan for and detect Sotdas malware, since the platform is equipped with advanced detections.</li>
</ol>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware.jpg"><img data-attachment-id="33158" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-10_qualys-multi-vector-edr-detects-threat-name-as-sotdas-malware" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware.jpg" data-orig-size="1707,918" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware-300x161.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware-1070x575.jpg" decoding="async" loading="lazy" width="1707" height="918" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware.jpg" alt="" class="wp-image-33158" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware.jpg 1707w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware-300x161.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware-1070x575.jpg 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware-768x413.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-10_Qualys-Multi-Vector-EDR-detects-Threat-name-as-Sotdas-malware-1536x826.jpg 1536w" sizes="(max-width: 1707px) 100vw, 1707px" /></a><figcaption class="wp-element-caption">Figure 10: Qualys Multi-Vector EDR detects Threat name as “Sotdas” malware&nbsp;</figcaption></figure>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware.jpg"><img data-attachment-id="33159" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-11_-process-tree-detection-for-sotdas-malware" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware.jpg" data-orig-size="1681,835" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-11_-Process-tree-detection-for-Sotdas-malware" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware-300x149.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware-1070x531.jpg" decoding="async" loading="lazy" width="1681" height="835" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware.jpg" alt="" class="wp-image-33159" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware.jpg 1681w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware-300x149.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware-1070x531.jpg 1070w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware-768x381.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-11_-Process-tree-detection-for-Sotdas-malware-1536x763.jpg 1536w" sizes="(max-width: 1681px) 100vw, 1681px" /></a><figcaption class="wp-element-caption">Figure 11: Process tree detection for Sotdas malware</figcaption></figure>



<p>    2. Sotdas malware copies itself to directories under init.d and rc.d to establish persistence</p>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d.jpg"><img data-attachment-id="33161" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-12_-edr-detection-for-rc-scripts-rc-d" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d.jpg" data-orig-size="1600,922" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-12_-EDR-detection-for-RC-scripts-–-rc.d" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d-300x173.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d-1070x617.jpg" decoding="async" loading="lazy" width="1600" height="922" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d.jpg" alt="" class="wp-image-33161" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d.jpg 1600w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d-300x173.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d-1070x617.jpg 1070w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d-768x443.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-12_-EDR-detection-for-RC-scripts-–-rc.d-1536x885.jpg 1536w" sizes="(max-width: 1600px) 100vw, 1600px" /></a><figcaption class="wp-element-caption">Figure 12: EDR detection for RC scripts – rc.d</figcaption></figure>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d.jpg"><img data-attachment-id="33162" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-13_edr-detection-for-rc-scripts-init-d" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d.jpg" data-orig-size="1605,925" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-13_EDR-detection-for-RC-scripts-–-init.d" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d-300x173.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d-1070x617.jpg" decoding="async" loading="lazy" width="1605" height="925" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d.jpg" alt="" class="wp-image-33162" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d.jpg 1605w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d-300x173.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d-1070x617.jpg 1070w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d-768x443.jpg 768w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-13_EDR-detection-for-RC-scripts-–-init.d-1536x885.jpg 1536w" sizes="(max-width: 1605px) 100vw, 1605px" /></a><figcaption class="wp-element-caption">Figure 13: EDR detection for RC scripts – init.d</figcaption></figure>



<p>   3. Sotdas deletes its files and components from a compromised host using the rm command.</p>



<figure class="wp-block-image size-full"><a data-fancybox href="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal.jpg"><img data-attachment-id="33163" data-permalink="https://blog.qualys.com/vulnerabilities-threat-research/2023/05/17/new-strain-of-sotdas-malware-discovered/attachment/figure-14_edr-detection-for-file-removal" data-orig-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal.jpg" data-orig-size="1606,898" data-comments-opened="1" data-image-meta="{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}" data-image-title="Figure-14_EDR-detection-for-File-removal" data-image-description="" data-image-caption="" data-medium-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal-300x168.jpg" data-large-file="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal-1070x598.jpg" decoding="async" loading="lazy" width="1606" height="898" src="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal.jpg" alt="" class="wp-image-33163" srcset="https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal.jpg 1606w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal-300x168.jpg 300w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal-1070x598.jpg 1070w, https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal-768x429.jpg 768w, 
https://ik.imagekit.io/qualys/wp-content/uploads/2023/05/Figure-14_EDR-detection-for-File-removal-1536x859.jpg 1536w" sizes="(max-width: 1606px) 100vw, 1606px" /></a><figcaption class="wp-element-caption">Figure 14: EDR detection for File removal</figcaption></figure>



<h2 id="hashes" class="wp-block-heading">Hashes</h2>



<ul>
<li>MD5: 31d5a627bcc63682c43e6e8c785c4d57&nbsp;</li>



<li>SHA-1: 019baa5eeec142d143fce17694c47bc40ce3122d&nbsp;</li>



<li>SHA-256: f7a8eb6dda1d15bead43d94df0bcfdd2a7dccab0eb06c89e5e85034561f60563&nbsp;</li>



<li>File name: .iamgood&nbsp;</li>
</ul>



<h2 id="domain" class="wp-block-heading">Domain </h2>



<ul>
<li>sockt.best&nbsp;</li>
</ul>



<h2 id="directories" class="wp-block-heading">Directories</h2>



<ul>
<li>/etc/rc2.d/&nbsp;&nbsp;</li>



<li>/etc/rc3.d/&nbsp;&nbsp;</li>



<li>/etc/rc4.d/&nbsp;</li>



<li>/etc/rc5.d/</li>



<li>/etc/init.d&nbsp;</li>



<li>/tmp/&nbsp;</li>
</ul>



<h2 id="mitre-attck-techniques" class="wp-block-heading">MITRE ATT&amp;CK Techniques</h2>



<ul>
<li>T1037.004 &#8211; Boot or Logon Initialization Scripts: RC Scripts</li>



<li>T1543.002 &#8211; Create or Modify System Process: Systemd Service&nbsp;</li>



<li>T1036 &#8211; Masquerading: Match Legitimate Name or Location&nbsp;</li>



<li>T1070.004 &#8211; Indicator Removal: File Deletion&nbsp;</li>



<li>T1222 &#8211; File and Directory Permissions Modification&nbsp;</li>



<li>T1564.001 &#8211; Hide Artifacts: Hidden Files and Directories&nbsp;</li>



<li>T1082 &#8211; System Information Discovery&nbsp;</li>



<li>T1057 &#8211; Process Discovery&nbsp;</li>



<li>T1071.004 &#8211; Application Layer Protocol: DNS&nbsp;</li>
</ul>

<div id='jp-relatedposts' class='jp-relatedposts' >
</div>		</div>
	</div>

	<footer class="entry-footer">
		<div class='q-single-post__footer-content'>
						<div class='q-single-post__footer-author'>
							<div class='q-post__entry-author'>
								<div class='q-post__entry-writtenby'>Written by</div>
								<span class="byline"> <span class="author vcard"><a class="url fn n" href="https://blog.qualys.com/author/vchaudhari">Viren Chaudhari</a></span></span>
								<div class='q-post__entry-author-email'>Write to Viren at <a href='mailto:vchaudhari@qualys.com'>vchaudhari@qualys.com</a></div>
							</div>
						</div>
					</div>
					<div class='q-post__tags-wrapper'>
					</div>	</footer>
</article>


	</main><!-- #main -->


</div><!-- .q-main_content-container -->
</div><!-- #page -->

<footer id="colophon" class="site-footer q-footer">
	<div class="q-footer__container">
		<div class="q-footer__row">

			<div class="q-footer__column q-footer__column--nav">

				<section id="nav_menu-2" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Qualys</h3><div class="menu-footer-qualys-container"><ul id="menu-footer-qualys" class="menu"><li id="menu-item-26499" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26499"><a title="Information Security and Compliance | Qualys, Inc." href="https://www.qualys.com/">Qualys.com</a></li>
<li id="menu-item-26500" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26500"><a title="Free Trial | Qualys, Inc." href="https://www.qualys.com/community-edition/">Qualys Community Edition</a></li>
<li id="menu-item-26565" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26565"><a href="https://store.qualys.com/">Qualys Merchandise Store</a></li>
</ul></div></section><section id="nav_menu-3" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Qualys Communities</h3><div class="menu-footer-qualys-communities-container"><ul id="menu-footer-qualys-communities" class="menu"><li id="menu-item-26501" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26501"><a href="https://community.qualys.com/vulnerability-management/">Vulnerability Management</a></li>
<li id="menu-item-26502" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26502"><a href="https://community.qualys.com/policy-compliance/">Policy Compliance</a></li>
<li id="menu-item-26503" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26503"><a href="https://community.qualys.com/pci-compliance/">PCI Compliance</a></li>
<li id="menu-item-26504" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26504"><a href="https://community.qualys.com/web-app-scanning/">Web App Scanning</a></li>
<li id="menu-item-26505" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26505"><a href="https://community.qualys.com/web-app-firewall/">Web App Firewall</a></li>
<li id="menu-item-26506" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26506"><a href="https://community.qualys.com/continuous-monitoring/">Continuous Monitoring</a></li>
<li id="menu-item-26507" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26507"><a href="https://community.qualys.com/security-assessment-questionnaire/">Security Assessment Questionnaire</a></li>
<li id="menu-item-26508" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26508"><a href="https://community.qualys.com/threat-protection/">Threat Protection</a></li>
<li id="menu-item-26509" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26509"><a href="https://community.qualys.com/asset-inventory/">Asset Inventory</a></li>
<li id="menu-item-26510" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26510"><a href="https://community.qualys.com/asset-view/">AssetView</a></li>
<li id="menu-item-26511" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26511"><a href="https://community.qualys.com/cmdb-sync/">CMDB Sync</a></li>
<li id="menu-item-26512" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26512"><a href="https://community.qualys.com/endpoint-detection-response/">Endpoint Detection &#038; Response</a></li>
<li id="menu-item-26513" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26513"><a href="https://community.qualys.com/security-configuration-assessment/">Security Configuration Assessment</a></li>
<li id="menu-item-26514" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26514"><a href="https://community.qualys.com/file-integrity-monitoring/">File Integrity Monitoring</a></li>
<li id="menu-item-26515" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26515"><a href="https://community.qualys.com/cloud-inventory/">Cloud Inventory</a></li>
<li id="menu-item-26516" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26516"><a href="https://community.qualys.com/certificate-inventory/">Certificate Inventory</a></li>
<li id="menu-item-26517" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26517"><a href="https://community.qualys.com/container-security/">Container Security</a></li>
<li id="menu-item-26518" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26518"><a href="https://community.qualys.com/cloud-security-assessment/">Cloud Security Assessment</a></li>
<li id="menu-item-26519" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26519"><a href="https://community.qualys.com/certificate-assessment/">Certificate Assessment</a></li>
<li id="menu-item-26520" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26520"><a href="https://community.qualys.com/out-of-band-configuration-assessment/">Out-of-band Configuration Assessment</a></li>
<li id="menu-item-26521" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26521"><a href="https://community.qualys.com/patch-management/">Patch Management</a></li>
<li id="menu-item-26522" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26522"><a href="https://community.qualys.com/api/">Developer API</a></li>
<li id="menu-item-26523" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26523"><a href="https://community.qualys.com/cloud-agent/">Cloud Agent</a></li>
<li id="menu-item-26524" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26524"><a href="https://community.qualys.com/reporting/">Dashboards &#038; Reporting</a></li>
</ul></div></section><section id="nav_menu-4" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Discussions</h3><div class="menu-footer-discussions-container"><ul id="menu-footer-discussions" class="menu"><li id="menu-item-26489" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26489"><a href="https://discussions.qualys.com/">All discussions</a></li>
<li id="menu-item-26490" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26490"><a href="https://discussions.qualys.com/community/asset-inventory">Global IT Asset Management</a></li>
<li id="menu-item-26491" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26491"><a href="https://discussions.qualys.com/community/vulnerability-management">IT Security</a></li>
<li id="menu-item-26492" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26492"><a href="https://discussions.qualys.com/community/policy-compliance">Compliance</a></li>
<li id="menu-item-26493" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26493"><a href="https://discussions.qualys.com/community/cloud-security">Cloud &#038; Container Security</a></li>
<li id="menu-item-26494" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26494"><a href="https://discussions.qualys.com/community/web-application-scanning">Web App Security</a></li>
<li id="menu-item-26495" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26495"><a href="https://discussions.qualys.com/community/ssllabs">Certificate Security &#038; SSL Labs</a></li>
<li id="menu-item-26496" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26496"><a href="https://discussions.qualys.com/community/developer">Developer API</a></li>
</ul></div></section><section id="nav_menu-5" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Blog</h3><div class="menu-footer-blog-container"><ul id="menu-footer-blog" class="menu"><li id="menu-item-26483" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-26483"><a href="https://blog.qualys.com/">All posts</a></li>
<li id="menu-item-26484" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26484"><a href="https://blog.qualys.com/qualys-insights">Qualys Insights</a></li>
<li id="menu-item-26485" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26485"><a href="https://blog.qualys.com/product-tech">Product and Tech</a></li>
<li id="menu-item-26486" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26486"><a href="https://blog.qualys.com/vulnerabilities-threat-research">Vulnerabilities and Threat Research</a></li>
<li id="menu-item-26487" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26487"><a href="https://notifications.qualys.com/">Release Notifications</a></li>
</ul></div></section><section id="nav_menu-6" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Training</h3><div class="menu-footer-training-container"><ul id="menu-footer-training" class="menu"><li id="menu-item-26526" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26526"><a href="https://www.qualys.com/training/">Overview</a></li>
<li id="menu-item-26527" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26527"><a href="https://www.qualys.com/training/#self-paced">Certified Courses</a></li>
<li id="menu-item-26528" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26528"><a href="https://www.qualys.com/training/#video-library">Video Library</a></li>
<li id="menu-item-26529" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26529"><a href="https://www.qualys.com/training/#instructor-led">Instructor-led Training</a></li>
</ul></div></section><section id="nav_menu-7" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Docs</h3><div class="menu-footer-docs-container"><ul id="menu-footer-docs" class="menu"><li id="menu-item-26497" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26497"><a href="https://www.qualys.com/documentation/">Overview</a></li>
<li id="menu-item-26498" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26498"><a href="https://www.qualys.com/documentation/release-notes/">Release Notes</a></li>
</ul></div></section><section id="nav_menu-8" class="widget widget_nav_menu q-footer__group"><h3 class="widget-title q-footer__subheading">Support</h3><div class="menu-footer-support-container"><ul id="menu-footer-support" class="menu"><li id="menu-item-26525" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-26525"><a href="https://qualys-secure.force.com/customer/s/">Support Portal</a></li>
</ul></div></section>
			</div>

		</div>
		<div class="q-footer__row">

			<small class="q-footer__copyright">© 2023 Qualys, Inc. All rights reserved. <a href="https://www.qualys.com/company/privacy/"><span style="white-space: nowrap;">Privacy Policy</span></a></small>

		</div>
	</div>
</footer><!-- #colophon -->

		<!-- Page asset includes (WordPress-generated).
		     NOTE(review): Subresource Integrity is applied inconsistently here.
		     The jQuery, jQuery Migrate and Coveo scripts carry an integrity hash plus
		     crossorigin, but highlight.js, waypoints and fancybox are fetched from the
		     same cdnjs origin with no integrity attribute, so the browser cannot verify
		     those files before executing them. The shariff stylesheet and the
		     wp-includes / theme / plugin scripts are served from ik.imagekit.io, which
		     is not a qualys.com hostname, also without integrity or crossorigin. -->
		<link rel='stylesheet' id='shariffcss-css' href='https://ik.imagekit.io/qualys/wp-content/plugins/shariff/css/shariff.min.css?ver=4.6.9' media='all' />
<!-- Third-party CDN scripts with SRI: the pattern the remaining cdnjs tags should follow. -->
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js' id='jquery-js' integrity='sha512-bLT0Qm9VnAYZDflyKcBaQ2gg0hSYNQrJ8RilYldYQ1FxQYoCLtUjuuRuZo+fjqhx/qtq/1itJ0C2ejDxltZVFg==' crossorigin='anonymous' referrerpolicy='no-referrer'></script>
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery-migrate/3.3.2/jquery-migrate.min.js' id='jquery-migrate-js' integrity='sha512-3fMsI1vtU2e/tVxZORSEeuMhXnT9By80xlmXlsOku7hNwZSHJjwcOBpmy+uu+fyWwGCLkMvdVbHkeoXdAzBv+w==' crossorigin='anonymous' referrerpolicy='no-referrer'></script>
<!-- Served from ik.imagekit.io, no integrity/crossorigin. -->
<script src='https://ik.imagekit.io/qualys/wp-includes/js/underscore.min.js?ver=1.13.4' id='underscore-js'></script>
<!-- cdnjs, no integrity attribute (compare with the two jQuery tags above). -->
<script src='https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.6.0/highlight.min.js' id='qualys2020-highlightjs-js'></script>
<!-- cdnjs, no integrity attribute. -->
<script src='https://cdnjs.cloudflare.com/ajax/libs/waypoints/4.0.1/noframework.waypoints.min.js' id='waypoint-js'></script>
<!-- Inline theme configuration (admin-ajax endpoint, paging state, content id).
     Inline script blocks like this one, and the two further down, would need
     'unsafe-inline', a nonce or a hash under script-src if a CSP is deployed. -->
<script id='qualys2020-script-js-extra'>
var qualys2020Script = {"ajaxurl":"https:\/\/blog.qualys.com\/wp-admin\/admin-ajax.php","current_page":"0","max_page":"0","archive_type":"all","content_id":"33129"};
</script>
<!-- Theme and WordPress core scripts served from ik.imagekit.io, no integrity/crossorigin. -->
<script src='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/script/script.js?ver=1.0.3' id='qualys2020-script-js'></script>
<script src='https://ik.imagekit.io/qualys/wp-includes/js/comment-reply.min.js?ver=6.2.2' id='comment-reply-js'></script>
<!-- Coveo search UI: has SRI and crossorigin (no referrerpolicy, unlike the jQuery tags). -->
<script src='https://static.cloud.coveo.com/searchui/v2.10085/2/js/CoveoJsSearch.Lazy.min.js' id='coveo-script-js' integrity='sha512-vueueBf3ND6Jj5E31AIFE28WnA2gQaGt3jHb+Wx5c0bDFBiKgQ8in3T9L4nVHC02v1uEgsrD4vL6pgYUGwZ3Kw==' crossorigin='anonymous'></script>
<script src='https://ik.imagekit.io/qualys/wp-content/themes/qualys2020/script/coveo.js' id='q-script-coveo-js'></script>
<!-- cdnjs, no integrity attribute. -->
<script src='https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.7/jquery.fancybox.min.js' id='fancybox-script-js'></script>
<!-- Jetpack (WordPress.com) analytics beacon, deferred, no integrity attribute. -->
<script defer src='https://stats.wp.com/e-202325.js' id='jetpack-stats-js'></script>
<!-- Inline Jetpack stats bootstrap: queues a page view and click tracking for blog 105655880 / post 33129. -->
<script id='jetpack-stats-js-after'>
_stq = window._stq || [];
_stq.push([ "view", {v:'ext',blog:'105655880',post:'33129',tz:'-7',srv:'blog.qualys.com',j:'1:12.2'} ]);
_stq.push([ "clickTrackerInit", "105655880", "33129" ]);
</script>
<!-- Inline Jetpack carousel config: UI strings, the admin-ajax endpoint and a
     WordPress AJAX nonce used by the carousel comment form. Note the swiper
     library path points at blog.qualys.com directly rather than ik.imagekit.io. -->
<script id='jetpack-carousel-js-extra'>
var jetpackSwiperLibraryPath = {"url":"https:\/\/blog.qualys.com\/wp-content\/plugins\/jetpack\/_inc\/build\/carousel\/swiper-bundle.min.js"};
var jetpackCarouselStrings = {"widths":[370,700,1000,1200,1400,2000],"is_logged_in":"","lang":"en","ajaxurl":"https:\/\/blog.qualys.com\/wp-admin\/admin-ajax.php","nonce":"5ea1ab5c38","display_exif":"0","display_comments":"1","single_image_gallery":"1","single_image_gallery_media_file":"","background_color":"black","comment":"Comment","post_comment":"Post Comment","write_comment":"Write a Comment...","loading_comments":"Loading Comments...","download_original":"View full size <span class=\"photo-size\">{0}<span class=\"photo-size-times\">\u00d7<\/span>{1}<\/span>","no_comment_text":"Please be sure to submit some text with your comment.","no_comment_email":"Please provide an email address to comment.","no_comment_author":"Please provide your name to comment.","comment_post_error":"Sorry, but there was an error posting your comment. Please try again later.","comment_approved":"Your comment was approved.","comment_unapproved":"Your comment is in moderation.","camera":"Camera","aperture":"Aperture","shutter_speed":"Shutter Speed","focal_length":"Focal Length","copyright":"Copyright","comment_registration":"0","require_name_email":"1","login_url":"https:\/\/blog.qualys.com\/wp-login.php?redirect_to=https%3A%2F%2Fblog.qualys.com%2Fvulnerabilities-threat-research%2F2023%2F05%2F17%2Fnew-strain-of-sotdas-malware-discovered","blog_id":"1","meta_data":["camera","aperture","shutter_speed","focal_length","copyright"]};
</script>
<!-- Jetpack carousel and Akismet front-end scripts, served from ik.imagekit.io, no integrity/crossorigin. -->
<script src='https://ik.imagekit.io/qualys/wp-content/plugins/jetpack/_inc/build/carousel/jetpack-carousel.min.js?ver=12.2' id='jetpack-carousel-js'></script>
<script defer src='https://ik.imagekit.io/qualys/wp-content/plugins/akismet/_inc/akismet-frontend.js?ver=1686295423' id='akismet-frontend-js'></script>

</body>
</html>
